Security Protocols for Processor-Based Systems

ABSTRACT

A processor-based system such as a wireless communication module may implement security functions in a cost effective fashion by providing a virtual memory space whose addresses may be recognized. The memory is integrated with an application processor. When those addresses are recognized, access to special security protocols may be allowed. In another embodiment, a variety of dedicated hardware cryptographic accelerators may be provided to implement security protocols in accordance with a variety of different standards. By optimizing the hardware for specific standards, greater performance may be achieved.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.13/021,880 filed on Feb. 7, 2011, which is a continuation of U.S. patentapplication Ser. No. 10/105,201, filed on Mar. 25, 2002 which issued asU.S. Pat. No. 7,900,054.

BACKGROUND

This invention relates generally to processor-based systems and, inparticular embodiments, to processor-based systems capable ofimplementing wireless communications.

Wireless communications may be implemented by cellular telephones aswell as networked devices that use wireless protocols. A processor-basedsystem then communicates with other systems using an appropriatewireless protocol.

A number of security procedures may be implemented to enable securecommunications between two stations. In addition, it may be necessary toauthenticate a given communicator to insure that the communicator isauthorized to use the network such as a wireless telephone system.

Conventionally, security may be implemented through a dedicated moduleor plug-in card that includes its own separate processor-based systemincluding a processor and memory. Conventionally called subscriberidentity modules (SIMs), these processor-based systems functionrelatively independently of the system in which they are embedded. Theyprovide access to secure data such as a subscriber's identity. This datacontrol is enforced by an onboard processor.

The use of a removable SIM is a relatively high cost approach. Thededicated SIM adds significantly to the cost of the electronic systemthat it serves to protect.

Software techniques may also be used to provide security in electronicdevices. Software only security solutions are subject to compromise fromcoding errors, viruses, and hacker attacks.

Thus, purely hardware approaches may be subject to some deficiencies interms of cost and purely software approaches may be subject todeficiencies in terms of effectiveness.

Thus, there is a need for better ways to implement security protocols inprocessor-based systems, and in particular, those systems utilized forwireless communications.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic depiction of one embodiment of the presentinvention;

FIG. 2 is a flow chart for one embodiment of the present invention; and

FIG. 3 is a schematic depiction of another embodiment of the presentinvention.

DETAILED DESCRIPTION

Referring to FIG. 1, a processor-based system 10 may be implemented, inone embodiment, as a wireless communication device. Two examples of suchwireless communication devices include cellular telephones and networkeddevices, which communicate by a radio frequency signal.

An internal bus 16 couples a baseband processor 12 to a memory array 14.A digital signal processor 18 is also coupled to the bus 16 in oneembodiment. In one embodiment, the digital signal processor 18 mayinclude its own memory array 22 coupled to the processor 18 via a bus20.

In one embodiment, a subscriber identity module is not utilized andinstead, the security functions normally implemented through asubscriber identity module may be embedded within an applicationprocessor 25. Thus, a single integrated circuit may accomplish anapplication processing function and a subscriber identity module (SIM)function.

In general, an application processor 25 handles applications notdirectly involved in baseband operations. The application processor 25may have embedded storage 24 that may include a virtual SIM 24 a thatmay be a range of addresses dedicated to the SIM functions. In someembodiments, other components such as the baseband processor 12 may beintegrated with the application processor 25. Thus, in some embodiments,the virtual subscriber identity module 24 includes an access-restricted,dedicated range of addresses in a memory space 24.

In some cases, the virtual SIM 24 a may store software that implementsuser authentication, digital signatures, and the security protocols formobile commerce transactions as well as implementing the SIM functions.In some cases, dedicated hardware or a control logic may be used withthe virtual SIM 24 a and in other cases, the application processor 25may control the virtual SIM 24 a.

By integrating the virtual SIM 24 with the application processor 25, theability to hack or corrupt the SIM functions may be reduced. Inaddition, the overall system 10 may be made in smaller sizes and havereduced power consumption in some embodiments.

In some cases, the memory 24 may be formed of a nonvolatile memory suchas flash memory. In other cases, a volatile memory such as random accessmemory may be used together with a battery. In any case, the virtual SIM24 a address range within the memory 24 is physically integrated withthe application processor 25. In such case, the application processor 25may service the virtual SIM 24 a as it does the rest of the memory 24.Access to the virtual SIM 24 a may be controlled so that only certainapplications can access the address range represented by the virtual SIM24 a.

Referring to FIG. 2, the virtual SIM software 50 implements the virtualsubscriber identity module functions. In short, the software 50identifies particular instructions as bearing on particular addresses.If those addresses correspond to the space dedicated for securityprotocols, special privileges may be granted. In all other cases, accessto security protocols may be precluded.

When an instruction is received as indicated at block 52, it is checkedas indicated in diamond 54 to see if it relates to addresses in thededicated virtual SIM space 25. If so, access may be granted for theinstruction to various cryptographic features as indicated in block 56.Otherwise access privileges are not provided.

In some cases, the access to the security privileges may be implementedby providing an appropriate code word to the instruction. In othercases, the instruction may be allowed to access various hardware andsoftware features of the system 10 to implement cryptographic functions.

Thus, in some embodiments, both secure and non-secure processes mayutilize the same processing hardware, such as the baseband processor 12and digital signal processor 18. If, in some embodiments, the virtualSIM implementation is not wholly software based it may not requirededicated hardware and as a result may be a more cost effectivesolution.

Referring to FIG. 3, another processor-based system 10 a may include abaseband processor 12, a memory array 14, an internal bus 16, a digitalsignal processor 18, a digital signal processor bus 20, and a memoryarray 22 in some embodiments. Coupled to the internal bus 16 is an arrayof hardware cryptographic accelerators 26. For example, a DataEncryption Standard (DES) algorithm accelerator 30 a (See NationalBureau of Standards NBS FIPS PUB 46, “Data Encryption Standard”,National Bureau of Standards, U.S. Dept. of Commerce, January 1977), anAdvanced Encryption Standard (AES) (See J. Daemen, V. Rigmen, “The BlockCipher Rijndael,” Smart Card Research and Applications, LNCS 1820, J.-J. Quisquater and B. Schneier, Eds., Springer-Verlag, 2000, pp.286-296) or Rijndael algorithm accelerator 30 b, a RSA algorithmaccelerator 30 f (See R. L. Rivest, A. Shamir and L. M. Adleman, “AMethod for Obtaining Digital Signatures and Public-Key Cryptosystems”Communications of the ACM, v. 21, n. 2, February 1978, pp. 120-6.), aSecuring Hash Algorithm, (SHA-1) accelerator 30 e (See National Bureauof Standards and Technology, NIST FIPS PUB 186, “Digital SignatureStandard” U.S. Department of Commerce, May 1994), a Message Digest 5(MD5) algorithm accelerator 30 d (See R. L. Rivest, “The MD5 MessageDigest Algorithm”, RFC 1320, April 1992) may be included as well asadditional algorithm accelerators 30 c. Thus, the array 26 may include awide variety of hardware based security algorithm accelerators includingone way hash function (SHA-land MD5). The system may use the virtualsubscriber identity module 25 described with respect to the previousembodiments as well.

Because each accelerator 30 in the array 26 is dedicated to a specialpurpose, its performance for a particular standard may be optimized. Thecontrol of each accelerator in the array 26 may be controlled by one ofthe processors 12 or 18. In some embodiments, the array 26 may beintegrated on a single integrated circuit.

Using symmetric, asymmetric, hashing and privacy algorithms, a varietyof security protocols can be serviced by the array 26 of accelerators30.

While the present invention has been described with respect to a limitednumber of embodiments, those skilled in the art will appreciate numerousmodifications and variations therefrom. It is intended that the appendedclaims cover all such modifications and variations as fall within thetrue spirit and scope of this present invention.

What is claimed is:
 1. An apparatus comprising: a processor, saidprocessor to execute first and second code sequences, said processorincluding a storage having a virtual memory space and said processoradapted to detect instructions directed to addresses associated withsaid virtual memory space, to identify which of said first and secondcode sequences issued said instructions to an address associated withsaid virtual memory space and to allow the first code sequence thatissued instructions to said address but not the second code sequencethat did not issue instructions to said address, access to a resource;and a memory coupled to said processor.
 2. The apparatus of claim 1wherein said apparatus detects instructions directed to said memoryspace by comparing the addresses of said instructions to the addressescorresponding to said virtual memory space.
 3. The apparatus of claim 1wherein said apparatus only allows instructions directed to said memoryspace to access cryptographic functions.
 4. The apparatus of claim 1wherein said resource including a plurality of cryptographicaccelerators each for different cryptographic techniques.
 5. Theapparatus of claim 4 including a data encryption standard algorithmaccelerator.
 6. The apparatus of claim 5 including a Rijndael algorithmaccelerator.
 7. The apparatus of claim 5 including at least threedifferent hardware cryptographic algorithm accelerators..
 8. Theapparatus of claim 7 including an integrated circuit including all ofsaid cryptographic accelerators.
 9. The apparatus of claim 1 whereinsaid resource to implement a security protocol to accomplish asubscriber identity module function.
 10. The apparatus of claim 1wherein said apparatus is a cellular telephone.
 11. The apparatus ofclaim 1 wherein said processor is an application processor and said codesequences are applications.
 12. The apparatus of claim 11 wherein saidapparatus is a cellular telephone.
 13. The apparatus of claim 12including a die containing said application processor wherein saidfunction is implemented on said die.
 14. The apparatus of claim 12wherein said function and said processor are on the same die.
 15. Theapparatus of claim 12 wherein said function is integrated with anapplication processor.
 16. The apparatus of claim 12 wherein thefunction is integrated as a portion of the application processor.
 17. Amethod comprising: integrating a processor with a storage having avirtual memory space associated with a particular address; detectinginstructions directed to said address associated with said virtualmemory space; detecting whether a first or a second code sequence isdirecting instructions to access said address; and granting access tothe first code sequence that directed instructions to said addressaccess to a resource and denying access to the second code sequence thatdid not direct instructions to said address.
 18. The method of claim 17including assigning an address range to said virtual memory space. 19.The method of claim 17 including detecting instructions directed to saidmemory space by comparing the addresses of said instructions to theaddresses corresponding to said virtual memory space.
 20. The method ofclaim 17 including allowing only instructions addressed to said memoryspace to access a resource including cryptographic functions.
 21. Themethod of claim 20 including providing separate cryptographicaccelerators for a plurality of cryptographic techniques.
 22. The methodof claim 21 including providing a data encryption standard algorithmaccelerator.
 23. The method of claim 22 including providing a Rijndaelalgorithm accelerator.
 24. The method of claim 21 including providing atleast three different hardware cryptographic algorithm accelerators. 25.The method of claim 24 including providing said cryptographicaccelerators on the same integrated circuit.
 26. The method of claim 17including using said virtual memory space to implement a subscriberidentity module function.